AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-06-19 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md

Summary

Updated documentation for Lake Formation full table access in EMR Serverless, including cross-account/region requirements, SUPER permission clarification, metastore prerequisites, and Spark configuration details.

Security assessment

Clarifies critical security configurations including cross-account access requirements, Lake Formation SUPER permissions, and metastore setup to prevent unauthorized data access. The APPEND mode restriction mitigates accidental data overwrites.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md b/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
index 984184e4b..78b35383a 100644
--- a//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
+++ b//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
@@ -7 +7 @@ Using Lake Formation with full table access
-# Lake Formation unfiltered access
+# Lake Formation unfiltered access for EMR Serverless
@@ -22,0 +23,4 @@ To use Full Table Access (FTA) mode, you need to allow third-party query engines
+###### Note
+
+When accessing cross-account tables, full-table access must be enabled in both producer and consumer accounts. In the same manner, when accessing cross-region tables, this setting must be enabled in both producer and consumer regions. 
+
@@ -82 +86 @@ The following is an example policy of how to provide IAM permissions to access a
-  * Spark jobs that write/delete data in S3 require Lake Formation ALL permission.
+  * Spark jobs that write/delete data in S3 require Lake Formation ALL (SUPER) permission.
@@ -88,0 +93,2 @@ The following is an example policy of how to provide IAM permissions to access a
+For more information, see [Granting permissions on Data Catalog resources](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-catalog-permissions.html).
+
@@ -90,0 +97,12 @@ The following is an example policy of how to provide IAM permissions to access a
+#### Prerequisites
+
+AWS Glue Data Catalog must be configured as a metastore to access Lake Formation tables.
+
+Set the following settings to configure Glue catalog as a metastore:
+    
+    
+    --conf spark.sql.catalogImplementation=hive
+    --conf spark.hive.metastore.client.factory.class=com.amazonaws.glue.catalog.metastore.AWSGlueDataCatalogHiveClientFactory
+
+For more information on enabling Data Catalog for EMR Serverless, see [Metastore configuration for EMR Serverless](emr/latest/EMR-Serverless-UserGuide/metastore-config.html).
+
@@ -110,0 +129 @@ Iceberg
+    --conf spark.sql.catalog.spark_catalog.type=glue
@@ -159,0 +179 @@ For Iceberg tables
+            "spark.sql.catalog.spark_catalog.type": "glue",
@@ -162 +182 @@ For Iceberg tables
-            "spark.sql.catalog.dropDirectoryBeforeTable.enabled": true
+            "spark.sql.catalog.dropDirectoryBeforeTable.enabled": true, 
@@ -233,0 +254,2 @@ Operations not listed above will continue to use IAM permissions to access table
+  * When writing Spark DataFrame to a Lake Formation table, only APPEND mode is supported: `df.write.mode("append").saveAsTable(`table_name`)`
+